Hybrid cloud security fundamentals: 4 things to know

Here are the core issues about hybrid cloud security that IT leaders should understand – and be able to explain to others in the organization

March 08, 2018

As with any significant IT change, adopting a hybrid cloud model requires revisiting your security practices. Done right, hybrid cloud should help improve security. The flexibility that comes with multiple environments, each with its own benefits and attendant costs, enables IT leaders to keep some types of sensitive or critical data on-premises, for example, while still embracing the enormous potential of private and public clouds.

However, security must be a visible piece of your overall hybrid cloud strategy, or you might be introducing new risks without taking the appropriate steps to mitigate them.

“There is no denying that hybrid cloud infrastructure is part of the new business reality,” says Guy Peer, VP of R&D and co-founder at Unbound. “Therefore, IT leaders must make hybrid cloud security a priority, if they haven’t already.”

In this post, we examine several fundamental issues IT leaders need to consider (and often, explain to others in the organization). Think of it as “hybrid cloud security 101.” In a subsequent post, we’ll highlight strategies for managing these issues and strengthening your hybrid cloud security posture.

1. Perimeter security approaches fall short

Simply put, the traditional tools and strategies for defending your network perimeter are no longer adequate when you move to a hybrid model that likely includes both private and public cloud environments, as well as on-premises or traditional data center infrastructure.

“IT leaders need to understand that their carefully defined and maintained network perimeters are simply no longer sufficient,” says David Emerson, VP and deputy CISO at Cyxtera. “Hybrid cloud is becoming the new normal for enterprise infrastructures, and those enterprises must adapt, rather than fight change and insist on traditional security measures.”

As hybrid cloud architectures become increasingly common, IT pros will need to reboot their perimeter-oriented approaches, because the “perimeter” has radically expanded and changed.

“Most organizations will use a combination of on-premise with multiple cloud workloads on different public or private clouds,” says Unbound’s Peer. “With this type of environment, perimeter security won’t cut it.”

2. Your threat surface is now distributed

Here’s a fundamental reason why traditional perimeter security is not going to suffice in a hybrid cloud infrastructure: You’re now running workloads in different environments, spanning traditional on-premises infrastructure, private clouds, and public clouds. Given that flexibility is one of the strong appeals of hybrid cloud, you’re also likely moving data between these different environments based on your evolving business and technical needs.

This means new approaches and best practices are necessary to ensure the security of your data across various environments. Even your approaches to traditional processes such as security fixes and updates need to be revisited. As Red Hat chief architect Matt Smith recently noted to us, automation plays a key role for companies that want to deal with updates wisely in the hybrid era. (Read the full article: 12 bad enterprise security habits to break.)

Each type of environment in a hybrid architecture – and even each of your potential providers – comes with different security considerations and risks. There’s no uniform approach to hybrid cloud security because you’re no longer operating a uniform, homogenous infrastructure.

“IT leaders should know that they have different security needs dependent on what the workload is, and what environment it resides in,” says Michael Fuhrman, chief product officer at Flexential. “A ‘one-size-fits-all’ strategy will not be effective in properly securing your workloads.”

This is essentially a cost-benefit tradeoff that, again, comes with any significant IT change. Here’s a quick example from Laurence Pitt, global security strategy director at Juniper Networks:

“The scale and flexibility provided by hybrid cloud means that users can access multiple environments, but this also introduces the risk that departments may spin-up ‘shadow IT’ servers on IaaS, which will not be visible to, or managed by, enterprise IT security policy,” he explains.

Keep such considerations top of mind when bringing your overall security strategy into alignment with a hybrid cloud strategy. Speaking of which...

3. Think new tools, processes, and policies

A move to a hybrid cloud model, simply put, requires new security tools and practices. You shouldn’t throw out your entire security playbook, but you do need to revisit and revise it.

“Organizations need to embrace new tools, strategies, and mindsets to achieve a healthy security posture for all of their infrastructure investments both on-premise and in the cloud,” Goyal says.

For example, in the age of hybrid, unified management and resource pooling across a variety of infrastructures become key, writes Red Hat technology evangelist Gordon Haff. “Even if a given organization isn’t using public cloud resources (yet), they are likely already hybrid in the sense of operating multiple infrastructure platforms, such as for virtualization; hybrid cloud management can help to unify these under a single management interface,” he notes. “Unified management can also give IT shops a consolidated view of geographically distributed virtualized resources for allocation, capacity planning, and chargeback purposes.” (See Haff's full blog, Managing your hybrid cloud.)

Maybe you’re already tweaking your security processes to match the DevOps way of working by baking in security earlier in the development process. This approach is often called DevSecOps.

Increasing hybrid cloud adoption, along with related trends such as containers and microservices, is a key reason we’re hearing about rising interest in DevSecOps.

It’s a logical evolution of DevOps culture as IT leaders realize the need for new security approaches in the age of continuous delivery and continuous integration, and increasingly distributed environments and architectures.

4. Beware the “move and forget” mindset

For a smaller business with limited or no real IT resources, blindly trusting a cloud provider might be a matter of convenience or necessity.

CIOs and other IT leaders, on the other hand, must avoid the temptation to confuse distributed or shared risk with offloading risk entirely.

“The biggest risk in moving to hybrid cloud is that an enterprise will treat this as an opportunity to ‘move and forget,’ believing that the cloud provider will have security standards in place to ensure ongoing protection and compliance,” says Pitt of Juniper Networks.

“This means you need to be diligent about keeping your providers accountable for their controls,” says Brian Wilson, CISO at SAS. “How do you know they will never have access to your data unencrypted? And can they confirm that it is possible without you paying extra or requiring you to go through a cloud access security broker (CASB)? Make sure the details are spelled out in your contracts and review those contracts and vendor policies regularly.”

This may be one of the more overlooked fundamentals of hybrid cloud security – so pay attention to it and know how to explain it to others in your organization. They will have plenty of questions, down to the application level.

“It is essential to maintain oversight of how data and applications are being protected in different cloud environments,” Pitt says. Even in hybrid cloud and multi-cloud environments, the buck still stops with you.

Kevin Casey writes about technology and business for a variety of publications. He won an Azbee Award, given by the American Society of Business Publication Editors, for his InformationWeek.com story, "Are You Too Old For IT?" He's a former community choice honoree in the Small Business Influencer Awards.

About This Site

The Enterprisers Project is an online publication and community focused on connecting CIOs and senior IT leaders with the "who, what, and how" of IT-driven business innovation.

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. The Enterprisers Project aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. Red Hat and the Shadowman logo are trademarks of Red Hat, Inc., registered in the United States and other countries.
